Objectives

• Be able to analyze the principles of cyber security.

• Understand types of Access Control Models

• Understand what Policies, Standards and

Procedures are
• Understand How to Plan , design, Implement and
Administer Secured Systems
 Cyber Security Fundamentals:
Principles of CS
• The following are some of the major principles
of cyber Security
– Principles of Least Privilege
– Defense in Depth
– Minimization
– Compartmentalization.
– Keep Things Simple
– Fail Securely
 Least Privilege
• The principle of least privilege stipulates, “Do not give
any more privileges than absolutely necessary to
do/perform the required job”. The principle of least
privilege reduces the number of privileges that may be
potentially abused and therefore limits the potential
damage.
Examples
• Giving users read only access to shared files if that’s what they
need, and making sure write access is disabled
• Not allowing help desk staff to create or delete user accounts if
all that they may have to do is to reset a password
 Defense in Depth
• The principle of defense in depth is about having more than
one layer or type of defense. The reasoning behind this
principle is that any one layer or type of defense may be
breached, no matter how strong and reliable you think it is,
but two or more layers are much more difficult to breach.
• Defense in depth works best when you combine two or
more different types of defense mechanisms—such as using
a firewall between the Internet and your LAN, plus the IP
Security Architecture (IPSEC) to encrypt all sensitive traffic
on the LAN. In this scenario, even if your firewall is
compromised, the attackers still have to break IP Security to
get to your data flowing across the LAN.
 Minimization
• The minimization principle is the cousin of the least
privilege principle and mostly applies to system
configuration. The minimization principle says “do not
run any software, applications, or services that are not
strictly required to do the entrusted job.”
• To illustrate, a computer whose only function is to
serve as an e-mail server should have only e-mail
server software installed and enabled. All other
services and protocols should either be disabled or not
installed at all to eliminate any possibility of
compromise or misuse.
 Compartmentalization
• Compartmentalization, or the use of compartments
(also known as zones, jails, sandboxes, and virtual
areas), is a principle that limits the damage and
protects other compartments when software in one
compartment is malfunctioning or compromised.
• Applications run in different compartments are isolated
from each other. In such a setup, the compromise of
web server software, for example, does not take down
or affect e-mail server software running on the same
system but in a separate compartment.
 Keep things simple
• Complexity is the worst enemy of security.
Complex systems are inherently more
insecure because they are difficult to design,
implement, test, and secure. The more
complex a system, the less assurance we may
have that it will function as expected.
 Fail Securely
• Although fail securely may sound like an oxymoron, it isn’t.
Failing securely means that if a security measure or control
has failed for whatever reason, the system is not rendered
to an insecure state.
• For example, when a firewall fails, it should default to a
“deny all” rule, not a “permit all.” However, fail securely
does not mean “close everything” in all cases; if we are
talking about a computer-controlled building access
control system, for example, in case of a fire the system
should default to “open doors” if humans are trapped in
the building.
• Main Objective is to secure even when in a failed state.
 Access Control Models
• Access control is the method by which systems
determine whether and how to admit a user into a
trusted area of the organization—that is,
information systems, restricted areas such as
computer rooms, and the entire physical location.
• Access control models define how computers enforce
access of subjects (such as users, other computers,
applications, and so on) to objects (such as computers,
files, directories, applications, servers, and devices).
 Types of Access Control Models
• Three main access control models exist:

– The discretionary access control

model(DAC),
– The mandatory access control model(MAC),
and
– The role-based access control model(RBAC).
Discretionary Access Control (DAC)
• Discretionary Access Control (DAC) allows each user
to control/decide access to their own data/resources.
Owner can set any desired permissions
• In the DAC model, the owner (creator) of information
(file or directory) has the power to decide what
resources a user may access and in what manner that
access may occur on the object in question. i.e. Owner
can choose to give read or write access to other user
• DAC is typically the default access control mechanism
for most desktop operating systems
 Mandatory access control
• The Mandatory Access Control or the MAC: This system does not
allow the owners to have the privilege of deciding who and what
access will be granted to.
• In a MAC model, the system dictates what level of access may be
granted to a resource.
– Hospital owns patient records and limits their sharing
• Regulatory requirements may limit sharing e.g HIPAA regulation for health information
• In MAC, each collection of resources and users are labeled to specify
the level of information that user may access. These security labels
contain two pieces of information: data classification (top secret,
confidential etc) and user category/clearance.
• Then, each user are granted to access resources according to its labels.
• MAC model is primarily used by the government.
 Information Classification
• Why classify?
– Among the information available in the enterprise there are
(approx.)
– 10% confidential information
– 80% internal use information
– 10% public information
– It would be a big waste of resources to give the same level of
security for all the information
– You don’t put everything you own in a safe!
• What is a confidential information
– Information, if disclosed ,could
• Violate privacy of individuals
• Reduce company’s competitive advantage
• Cause damage to the organization
 Cont’d
• Many organizations classify information into
different classes of security
• Examples of Information Classification
– Top Secret, Confidential, Restricted, Internal Use,
Public
– Company confidential Red, Company confidential
Yellow, Company confidential Green, Company
Public
 Cont’d
Tips
•How to develop classification levels (standards)

– Discuss with other organizations’ specialists and learn

from their experiences

– Discuss with the management of your organization

– Prepare a draft and discuss it with the management

– Avoid the temptation of having too many levels

 Role-Based Access Control (RBAC)
• In RBAC, rights and permissions are assigned to roles
instead of individual users. i.e. the access granted to a
resource is strictly based on the role that the subject holds
in the organization rather than individual users.
Users Role Rights
• In RBAC, Most individuals have a certain number of
privileges in accordance with their roles. i.e. RBAC model
does not provide to an individual users additional
permissions over and above those available for their role.
• This added layer of abstraction permits easier and more
flexible administration and enforcement of access
controls.
 Cont’d
• Access control in organizations is based on “roles
that individual users take on as part of the
organization”
• A role is “is a collection of permissions”
• Access depends on function, not identity
– Example: Allison is bookkeeper for Math Dept. She
has access to financial records. If she leaves and
Betty is hired as the new bookkeeper, Betty now has
access to those records. The role of “bookkeeper”
dictates access, not the identity of the individual.
 Advantage RBAC
• Policy need not be updated when a certain
person with a role leaves the organization. It is
not associated with a person
• New employee should be able to activate the
desire role
• Revisiting least privilege
 Cont’d
• RBAC is better in situation in which we want
to assign the rights not to the people, but to
the specific job.
• MAC and RBAC is better in situation where we
want to avoid that an user can manage the
rights.
 Elements provided from ACS
• Access control systems provide the essential services of
identification and authentication (I&A), authorization, and
accountability to restrict what resources a user may
access and in what manner that access may occur (read,
write, execute a program, modify, etc.).
– identification and authentication determine who can log on to a
system, and the association of users with the software objects
that they are able to control as a result of logging in;
– authorization determines what a subject can do;
– accountability identifies what a subject (or all subjects
associated with a user) did.
 Cont’d
• Identification is a way to describe the principal, e.g. username,
email, First + Last name, etc.
• Authentication: the process of validating a supplicant’s purported
identity, is really who he says.
• Authenticators are commonly based on at least one of the following
four factors:
• Something you know, such as a password or a personal identification
number (PIN). This assumes that only the owner of the account
knows the password or PIN needed to access the account.
• Something you have, such as a smart card or security token. This
assumes that only the owner of the account has the necessary smart
card or token needed to unlock the account.
 Cont’d
• Something you are or Can Produce , such as fingerprint, voice,
retina, or iris characteristics.
• Accountability: uses audit trails (records) and logs to associate a
subject with its actions.
• Audit trails and logs are important for Detecting security
violations, Re-creating security incidents
• These reports help a system administrator or security
administrator to more easily identify possible break-in attempts.
• If no one is regularly reviewing your logs and they are not
maintained in a secure and consistent manner, they may not be
admissible as evidence.
IS Security: Policies and Procedures
• A policy is a high-level statement of enterprise
beliefs, goals, and procedures and the general
means for their attainment. Policy typically includes
general statements of goals, objectives, beliefs, ethics, controls, and
worker responsibilities.
• Standards are mandatory requirements that
support individual policies
• Procedures are mandatory step-by-step, detailed
actions required to complete a task successfully
• Guidelines are similar to standards but are not
mandatory
 Developing policies: A good policy
should
• Be easy to understand (By all people who will have to read the
policy)
• Be applicable (Don’t copy others’ policy word by word since it may
not be applicable to you)
• Be do-able (There strictions should not stop work!)
• Be enforceable (If it cannot been forced, it will probably remain on
paper)
• Be phased in (Organizations need time to digest policy)
• Be proactive (Say what needs to be done rather than what is not
allowed)
• Avoid absolute (Be diplomatic)
• Meet business objectives
– Should lower the security risks to a level acceptable by the organization
without hampering the work of the organization to an unacceptable level
 Developing policies: There are
three types (Tiers) of policies
• Global policies (Tier1)
– Used to create the organization’s overall vision
and direction
• Topic specific policies (Tier2)
– Address particular subject of concern
– Ex. Antivirus, E-mail
• Application-specific policies(Tier3)
– Decisions taken by management to control
particular applications
– Ex. Accounting system
 Developing standards
• Standards define what is to be accomplished in specific terms
• Every industry has standards that try to insure some quality of
product or service, or enable interoperability
• Many industry standards have information security issues
– Ex. Banking, Healthcare
• Some of the standards become national regulations and
organizations will have to follow that
• Organizations can also develop their own standards (enterprise
standards)
• Standards are easier to update than global policies
• Standards have to be reviewed regularly (every year for
example)
 Cont’d
• Standards must be
– Reasonable
– Flexible
– Current
– Practical
– Applicable
– Reviewed regularly
• Standards should enable the enterprise to fulfill its
business objectives while minimizing the security
risks
 Developing Procedures

• Developing a procedure should be faster than developing a

policy since it does not need to be approved by management
• The best way to write a procedure is to use a technical writer
(different from the subject matter expert – SME)
• Procedure writing process
– Interview with the SME
– Preparation of a draft
– Review of the draft by the SME
– Update of the procedures based on the comments
– Final review by SME
– Update of the procedures based on the comments
– Testing of the procedures
– Publishing of the procedures
• The procedures should also be reviewed regularly
 IS Security Governance

• Governance of Information security is a part

of information systems governance
• Introduces a new position under the CIO.
• CISO-Chief Information Security Officer
• Is the head of Information Security in the
organization.
Organizational structure for
security Implementation
 The IS Security Governance Hierarchy

• The chief information security officer (CISO) has

primary responsibility for the assessment,
management, and implementation of information
security systems in the organization.
• The CISO usually reports directly to the CIO, although
in larger organizations it is not uncommon for one or
more layers of management to exist between the two.
• However, the recommendations of the CISO to the CIO
must be given equal, if not greater, priority than other
technology and information-related proposals.
Planning, Designing and Implementing
Secured systems
• Usually security consideration are a underestimated in the
Development of an Information System.
• Security is usually perceived as a technical-only issue and
common practice considers security requirements in isolation of
the functional requirements of an information system.
• Information Systems are developed using a standard development
approach -SDLC
• The development approach doesn’t include security considerations
• Recently there has been organizations working on an Information
Security Framework.
• The well-known security frame work is C&A (Certification and
Accreditation) process of NIST (National Institute of Standards and
Technology).
C&A: Phases/Process to security
with SDLC
 C&A
• Certification and Accreditation (C&A)is a
process for implementing information
security.
• It is a systematic procedure for evaluating,
describing, testing and authorizing systems
prior to or after a system is in operation.
• The C&A process is used extensively in the
U.S. Federal Government.
 C&A: what are they?

• Certification is a comprehensive evaluation of the technical

and non-technical security controls (safeguards) of an
information system to support the accreditation process
that establishes the extent to which a particular design and
implementation meets a set of specified security
requirements.
• Accreditation is the formal declaration by a senior agency
official (Designated Accrediting Authority (DAA) or Principal
Accrediting Authority (PAA)) that an information system is
approved to operate at an acceptable level of risk, based on
the implementation of an approved set of technical,
managerial, and procedural security controls (safeguards).
The Secured Systems Development
Process
• Has five basic phases which can be aligned
to the Waterfall Model/SDLC phases
– Initiation Phase
– Development/Acquisition
– Implementation/Assessment
– Operational/Maintenance
– Disposal
 What we do at Initiation phase

• During this phase, security requirements at an

enterprise level are identified.
• Key activities include:
• Initial delineation of business requirements in terms
of confidentiality, integrity, and availability
• Determination of information categorization and
identification of known special handling
requirements to transmit, store, or create
information such as personally identifiable
information
• Determination of any privacy requirements.
 What we do at Development &
Acquisition phase
• During this phase, technical and functional
requirements are translated in to an actual plan for
an information system.
• Key activities include:
• Conduct the risk assessment and use the results to
supplement the baseline security control
• Analyze security requirements
• Perform functional and security testing
• Prepare initial documents for system certification
and accreditation
• Design security architecture.
 What we do at Implementation/
Assessment phase
• During this phase, the system will be installed and
evaluated in the organization’s operational
environment.
• Key activities include:
• Integrate the information system into its operational
environment
• Plan and conduct system certification activities in
synchronization with testing of security controls; and
• Complete system accreditation activities
 What we do at
Operations/Maintenance Phase
• In this phase,
• systems are in place and operating,
• enhancements and/or modifications to the system are
developed and tested
• hardware and/or software is added or replaced.
• The system is monitored for continued performance in
accordance with security requirements and needed system
modifications are incorporated.
• The operational system is periodically assessed to
determine how the system can be made more effective,
secure, and efficient
 Operations/Maintenance…

• Key activities include:

• Conduct an operational readiness review
• Manage the configuration of the system
• Institute processes and procedures for
assured operations and continuous
monitoring of the information system’s
security controls.
 What we do at Disposal phase

• This phase is important for disposal of a

system and closeout of any contracts in
place.

• When information systems are transferred,

become obsolete, or are no longer usable, it
is important to ensure that organizational
resources and assets are protected.
 Disposal phase cont’d…

• Key activities include:

• Build and Execute a Disposal/Transition Plan;
• Archive of critical information;
• Sanitization of media.
• Disposal of hardware and software.
 Security Consideration in SDLC

7 -Risk management in this context refers to risk associated with the

development and not computer security or system technical risk.
Security Consideration in SDLC-
Summary
SDLC & (C&A)